In today’s world, virtually every organization is subject to some sort of regulation. Consequently, virtually every organization has some structure in place to ensure ongoing compliance with those regulations. And for good reason: Failure to comply can result in financial penalties, possible jail time for executives, and significant reputational damage.
In small organizations, the compliance function may consist of just one person — perhaps handling compliance on the side. Large organizations are more likely to have a full-fledged compliance function, often set up as a compliance and ethics department, usually under the legal umbrella. In very large organizations, the compliance and ethics programs may be separated because of the workload required of each.
But regardless of the company structure, any organization that is not coordinating its internal audit and compliance functions is missing a beat. “When internal audit ensures the compliance program has a strong structure, the compliance department can ensure the business has a strong program that mitigates business risk,” says Cecelia Jefferson, an attorney and compliance professional in Amelia Island, Fla. A former director of alcohol, tobacco, and firearm compliance for Walmart U.S., Jefferson does not mince words in describing the critical role internal audit plays in compliance. “Once the compliance department understands the year’s business goals, it will design any changes or upgrades needed to ensure the business remains compliant. Internal audit should be included in these discussions.”
Understanding the business objectives, and how the compliance department plans to assist the business in achieving them, helps internal audit determine where, how, and how often to provide support. Identifying those questions is relatively straightforward. Answering them in the most effective way, especially in the face of competing demands on resources, can be tricky.
Internal Audit and the Compliance Function
Basics of Auditing Compliance
The following terms and concepts are sure to play into internal audit’s compliance activities:
- Inherent risk — The risk level or exposure without considering the actions that management has taken or might take (e.g., implementing controls); often falls into one or more of four categories: legal, financial, business, and reputational.
- Residual risk — The remaining risk after management has implemented a risk response.
- Compliance risk — The threat posed to an organization’s financial, organizational, or reputational standing resulting from violations of laws, regulations, codes of conduct, or organizational standards of practice. Shelton defines compliance risk in broad categories: assessment risk, access risk, people risk, response/recovery risk, evidence suitability and retention risk, and change management and segregation of duties risk. Specific examples of compliance risk include worker safety regulations for manufacturers; amount of margin allowed for investment accounts; managing crisis and remediation while defending the organization and its executives/board members against legal enforcement; levels of commission to sales agents; and banking legislation relating to customer identification and verification, financial advice, and lending.
- Pertinent standards — According to Haig, her “go-to standards” when dealing with compliance are IIA Standard 2110: Governance and Standard 2120: Risk Management. Also see Standard 2050: Coordination.
There are probably as many ways for internal audit to perform its role in compliance as there are internal audit and compliance functions worldwide. One approach is for internal audit to engage with compliance on two levels, which Nancy Haig, director of internal audit and compliance at a global consulting firm headquartered in New York, calls “macro” and “micro.” At the macro level, internal audit examines the effectiveness of the organization’s compliance program. “Internal audit needs to discover how the compliance function is getting its information,” Haig explains. “Is it doing regular scans of the environment? Is it getting qualitative and quantitative input across the board? Is it calculating the residual risk in all compliance areas?”
At the micro level, internal audit drills down on selected risks the compliance function has identified as priorities. If the compliance function has done a risk assessment, it may be possible to leverage it; if not, internal audit may need to perform one. Mitigation plans are only as good as the risk assessment on which they are built.
Naohiro Mouri, executive corporate officer and chief internal auditor at AIG Japan Holdings in Tokyo, also takes a two-pronged approach. “We audit compliance in itself, as a separate audit engagement, but we also look at compliance risk that is embedded in the processes of the business units as we do our regular audits of them.”
The internal audit charter is critical in defining internal audit’s role in compliance. “One of the key objectives of internal audit as articulated in our charter is to ‘assist the directors to discharge their duties in ensuring that the relevant compliance and risk management processes are in place,’” notes Jenitha John, CAE at FirstRand Bank in Johannesburg, South Africa. In her bank, the internal audit function performs compliance audits to assess whether there are adequate and effective controls in place for the organization to comply with relevant legislation and to ensure ethical business conduct. Internal audit follows up on control gaps by monitoring remediation, identifying thematic compliance issues across the organization, helping guide the compliance function to focus on high-risk areas, and assessing and providing an opinion on the maturity of the organization’s regulatory risk management process. These efforts are paying off, says John, who reports “a downward trend in significant compliance audit findings.”
Debbie Shelton, director of IT security and compliance at LG&E and KU Energy LLC in Louisville, Ky., offers a slightly different approach to the types of engagement between internal audit and compliance. “With a detailed understanding of the organization’s compliance risk assessment, internal audit can first focus on the foundations of the assessment,” she explains. This leaves responsibility for the assessment where it belongs — in the business — with internal audit adding assurance that the assessment methodology is sound or raising questions about levels of residual risk that appear to be in excess of the approved risk appetite. She further notes that internal audit should be delving into the assumptions that are made and documented within the assessment model, how the assumptions are communicated, and whether all those inputting into the model understand the assumptions in the same way.
At the second level of Shelton’s approach, which occurs once the foundation has been determined to be sound, internal audit can focus on the actual entries by examining issues such as how the organization ensures completeness, whether a requirement-by-requirement accountability document is provided to all those involved in the assessment, and how those with accountability ensure updates are made in a timely manner.
Approaches differ by company, but all are aimed at securing positive outcomes. Greg Jordan, senior vice president and CAE at Nationwide Insurance in Columbus, Ohio, describes a tangible benefit of the expanded role internal audit plays in compliance in his company: Internal audit staff is rotating out of internal audit into the compliance department, and compliance professionals are moving into internal audit. “Roll the clock back a few years,” he says. “That sort of career path didn’t exist.”
Building a Partnership
Working together effectively requires a strong commitment to collaboration and partnership. Both internal audit and compliance must share a focus on best practices, cooperative effort, and information sharing.
Mouri’s internal audit team relies on the compliance department to provide education on changes in regulations that might generate new risks or reporting requirements. For their part, when internal auditors find issues in their audits that indicate a regulatory breach, and if that breach is significant enough, they ask the compliance function to report it to the regulators. “They are the experts in this area,” he explains. “We rely on their judgment rather than making compliance decisions ourselves and reporting to the regulators.”
Jordan notes a similar activity within Nationwide. “We have a regulatory assessment distribution process we audit regularly,” he says. “It monitors regulatory activity that affects our business units, what changes these regulatory activities entail, what dates the changes become applicable, and which business units are affected and need to receive information to incorporate into their business plans. Compliance tracks the regulations and internal audit understands the key compliance-related risks.”
Shelton proposes that collaboration center on identifying all compliance requirements and reviewing an existing risk assessment of requirements or collectively completing one. She further suggests, “Use the authority each organization has in engaging participants in the audit. Speak with subject matter experts in the company. Seek documentation outlining why key compliance decisions were made.”
Collaboration may best be accomplished by simply talking to each other. Haig describes an effective monthly meeting at one of her previous employers, in which the CEO and the heads of internal audit, compliance, and legal discussed emerging risks, trends, and mitigation plans. Similarly, in her prior role at Walmart, Jefferson led a consortium of business stakeholders, including compliance and internal audit, which met on a weekly basis to discuss activity within the compliance program. The internal auditors, Jefferson says, “served as a second set of eyes to ensure we were appropriately identifying and mitigating all risks and the proposed solutions did not create problems for the program or other stakeholders.”
Jordan conducts his own frequent meetings with his counterparts — the chief compliance officer and the chief risk officer — and engages in a monthly meeting between internal audit and the compliance department in which they review any changes in the organization’s risk landscape and inform each other of pertinent upcoming activities. “We talk with general counsel and compliance during regular audit planning for each engagement, to make sure nothing of a regulatory nature has changed that would affect the audit,” he adds. “We also invite compliance to our internal audit status meetings and, when there is an issue of regulatory impact, to closing conferences with audit clients.”
It’s not all a matter of meetings, however; technology plays a role in facilitating collaboration, as well. John notes the need for formal combined assurance platforms that drive ongoing and consistent engagement between internal audit and compliance. One of the key levers to drive this collaboration is eGRC technology, which improves visibility of the organization’s compliance risk profile. John’s organization is currently implementing an eGRC platform across governance functions, including compliance, to drive holistic compliance risk management.
Leveraging the Compliance Risk Assessment
One of the most common areas of cooperation and coordination between internal audit and compliance focuses on internal audit’s use of the compliance risk assessment done by the compliance department, either as stand-alone output or as a contribution to the organization’s enterprise risk assessment. Given that most organizations operate under time and resource constraints, getting multiple uses out of a single work product is advantageous. But due diligence must be done. In this context, that means before relying on the compliance department’s compliance risk assessment, internal audit must review that risk assessment for effectiveness and confirm that the compliance function has done, in Haig’s words, “an effective job.”
Elements of a Compliance Program
Compliance program elements may include:
- Policies and procedures.
- Narratives and control documentation.
- Risk, responsibility, and compliance matrixes.
- Metrics, such as degree of employee knowledge/awareness of compliance risks and benchmarks of peer organizations.
- A framework that lays out the organization’s compliance risk landscape and organizes it into risk domains, and a methodology that contemplates both objective and subjective ways to assess those risks.
- Root cause analysis process.
- Communication plans for internal and external audiences.
- Training plans focused on key compliance risk areas.
- Testing plans.
- Monitoring processes.
- Consistent enforcement, plus escalation and response plans in the event of violations.
Assessing the risk assessment’s effectiveness starts with asking pertinent questions about the frequency of update, the sources of the information, the extent of coverage of regulatory risks, the amount of engagement with and involvement of the legal department, the prioritization of risks based on the residual risk assessment, the evaluation of controls to manage and mitigate specific risks, the alignment between the results and the organizational risk appetite, and the degree to which irregular findings are investigated and controls added as needed. In addition, it may be useful to consider whether someone outside the compliance department can pick up the department’s workpapers and see how the compliance staff came to its conclusions relative to frequency and magnitude of risk.
Shelton proposes another test that would be well-suited for organizations in which several groups or departments have processes for compliance assessments. “Internal audit can assess whether consolidating best practices into an organizational program might be of benefit and, if so, make — and possibly facilitate — that recommendation.”
John explains that her company’s assessment of the effectiveness of compliance risk assessments is based on a regulatory risk management maturity model. Specifically, she notes certain elements she calls fundamental to compliance risk assessment effectiveness:
- The governance and strategy in place to drive the consistent and complete assessment of compliance risk in the organization. She elaborates, “This includes an evaluation of governance committees, frameworks, senior management (risk owners) sign-off on the regulatory universe/risk assessment, and consideration of the involvement and influence of the compliance function in the industry’s regulatory landscape.”
- The adequacy and effectiveness of the compliance risk resources, including the level of skills within the compliance function.
- Identification, measurement, and risk mitigation for high-risk legislation as per the regulatory universe. This includes assessing whether sufficient key risk indicators have been formulated to monitor risks and continually strengthening the compliance control environment.
- Risk monitoring plans to make sure that first and second lines of defense ensure the adequacy and effectiveness of controls in place to mitigate risks identified.
- Risk reporting processes to ensure that a clear and complete risk profile of the organization is reported and monitored appropriately.
Regardless of how engagement between internal audit and compliance occurs, there is broad support for ensuring that this engagement does happen. Internal audit can actively drive combined assurance in the organization by collaborating with the compliance and risk management functions in performing audits. This collaboration improves the coverage of compliance risk assurance and reduces duplication of effort.
And, ultimately, internal audit has an innate need to become involved in assessing compliance. According to The IIA’s International Professional Practices Framework, the mission of internal audit is to “enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” In other words, understanding, evaluating, and mitigating risk are internal audit’s purpose. For many organizations, there are few, if any, risks more significant — in financial and reputational terms — than failure to comply with existing regulations. Internal audit cannot fully achieve its mission if it does not include compliance in its remit.
“In my company, compliance and internal audit are true partners in risk management,” Jordan says. “Our viewpoint is that it’s better for everyone if we can work together to reduce our regulatory burden. We focus on achieving the benefits for the business and doing the right things by the stakeholders.”